Recently, while working on an Azure project that involved setting up site-to-site VPN connections for a customer, we ran into an authentication failure when connecting the on-premises VPN gateway to the Azure VPN gateway. Specifically, the AzureVnetGateway diagnostics logged the following IKE event (note the "IKE authentication credentials are unacceptable" failure code, 0x000035e9, and that the failure point is local, i.e. on the Azure side):
Event Header:
  Timestamp: 1601-01-01T00:00:00.000Z
  Flags: 0x00000100 IP version field set
  IP version: IPv4
  IP protocol: 0
  Local address: 0.0.0.0
  Remote address: 0.0.0.0
  Local Port: 0
  Remote Port: 0
  Application ID:
  User SID: <invalid>
Failure type: IKE/Authip Quick Mode Failure
Type specific info:
  Failure error code: 0x000035e9
    IKE authentication credentials are unacceptable
  Failure point: Local
  Keying module type: IKEv2
  QM State: Initial state, no QM packets sent
  QM SA role: Initiator
  Mode: Tunnel Mode
  Local Subnet: IPv4 Addr & Mask: 0.0.0.0/0.0.0.0
  Remote Subnet: IPv4 Addr & Mask: 0.0.0.0/0.0.0.0
  QM Filter ID: 0x0000000000105bd9
Searching the internet leads to numerous posts attributing this error to a certificate problem. Those directions do not apply here: an Azure site-to-site connection authenticates the two gateways with a pre-shared key (certificates are the mechanism for point-to-site client connections), so the IKE authentication failure has to be explained by the key, not by a certificate.
What we found in our case was that the pre-shared key Azure generated when the VPN gateway connection was created was configured identically on both the Azure VPN gateway and the on-premises gateway, but it was longer than the particular Check Point device would accept. The device never presented the key Azure expected, so the IKE exchange failed exactly as it would for a mismatched key. Azure accepts a shared key of 1 to 128 printable ASCII characters; the on-premises appliance may impose a much lower limit, so check its documentation before trusting the Azure-generated key. The remedy is to generate a new random key that fits within the device's limit and set it on both ends, rather than truncating the key on one side only, which would simply produce a genuine mismatch.
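The following script is an added example, not code from the original post. It generates a random pre-shared key of a chosen length, checks it against both Azure's 1-128 printable ASCII rule and an assumed per-device maximum (the DEVICE_PSK_MAX value of 64 is a placeholder; use the limit documented for your Check Point version), and, when run with the argument `apply`, writes the key to the Azure connection with the Azure CLI. The resource group and connection name are placeholders, and the `apply` step assumes a logged-in Azure CLI; the generator and checker run offline.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Generate and validate a
# site-to-site pre-shared key that both Azure and the on-premises device
# will accept, then optionally push it to Azure with the Azure CLI.
set -eu

# Azure VPN Gateway accepts a shared key of 1..128 printable ASCII characters.
AZURE_PSK_MAX=128
# Assumed device limit (placeholder); replace with your appliance's documented maximum.
DEVICE_PSK_MAX=${DEVICE_PSK_MAX:-64}
# Placeholder Azure resource names.
RESOURCE_GROUP=${RESOURCE_GROUP:-rg-vpn}
CONNECTION_NAME=${CONNECTION_NAME:-onprem-to-azure}

# gen_psk LEN: LEN random characters from a conservative alphanumeric alphabet,
# drawn from /dev/urandom. Reads fixed-size chunks so no pipe is closed early.
gen_psk() {
  len=$1
  out=""
  while [ "${#out}" -lt "$len" ]; do
    out="$out$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s' "$out" | cut -c1-"$len"
}

# check_psk KEY: returns 0 if KEY is acceptable to both Azure and the device,
# otherwise prints the reason on stderr and returns 1. A key that passes the
# Azure rule but fails the device limit reproduces the situation in the post:
# identical on both sides, yet rejected by the appliance.
check_psk() {
  key=$1
  len=${#key}
  if [ "$len" -lt 1 ] || [ "$len" -gt "$AZURE_PSK_MAX" ]; then
    echo "psk length $len is outside Azure's range 1..$AZURE_PSK_MAX" >&2
    return 1
  fi
  if [ "$len" -gt "$DEVICE_PSK_MAX" ]; then
    echo "psk length $len exceeds the device limit of $DEVICE_PSK_MAX" >&2
    return 1
  fi
  # Reject anything outside printable ASCII (0x20..0x7E) in the C locale.
  if printf '%s' "$key" | LC_ALL=C grep -q '[^ -~]'; then
    echo "psk contains non-printable or non-ASCII characters" >&2
    return 1
  fi
  return 0
}

# set_azure_psk KEY: write KEY to the Azure connection and read it back.
# Requires a logged-in Azure CLI; the same KEY must then be set on the device.
set_azure_psk() {
  key=$1
  az network vpn-connection shared-key update \
    --resource-group "$RESOURCE_GROUP" --connection-name "$CONNECTION_NAME" \
    --value "$key" >/dev/null
  az network vpn-connection shared-key show \
    --resource-group "$RESOURCE_GROUP" --connection-name "$CONNECTION_NAME"
}

if [ "${1:-}" = "apply" ]; then
  psk=$(gen_psk "$DEVICE_PSK_MAX")
  check_psk "$psk"
  set_azure_psk "$psk"
  echo "New key set in Azure; configure the identical key on the on-premises gateway."
fi
```

Running the script with no arguments only defines the functions, so it can be sourced to test candidate keys (`check_psk "$existing_key"`) before touching the Azure connection. A key of 64 random alphanumeric characters carries roughly 380 bits of entropy, far beyond what the IKE exchange needs, so fitting within a short device limit costs nothing in strength.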